Downloading file from 0 privilege folder


nituvious

Hello, I am trying to write a download manager for my small website. And I came up with the idea of setting my download folder to not allow reading, writing or execution by the public because I want my PHP function to initialize the download.

 

My main reason for this would be something like IP or login based downloads and such. I don't want people to use the direct URL (e.g., http://mysite.com/file.zip). I want them to go through my PHP file first.

 

Can someone enlighten me on this? I have attempted readfile, fpassthru, include, fopen, etc., but I just can't seem to get it right. I am still pretty new to PHP and I don't know if what I want to do is even possible.

So before I further strain my feeble mind, can someone point me in the right direction?

Link to comment
Share on other sites

So, you can obviously do this, and use some of the functions you listed. 

 

As you surmised, you need to have a download script that implements the technique; however, whatever process PHP is running as does need permissions to the directory(s) where you store the files. The key thing is that this directory should not be under the "web root" so there is no way for a user to have a direct link to the file. This script could be called with a simple GET parameter:

 

download.php?file=filename

 

You can secure this using whatever authentication scheme you like. Often people have a system that implements a login facilitated by PHP session handling, and when they instantiate the session, that code will immediately check that the user is logged in and if not use header() to redirect them to the login page and die().

 

Your download script can include the same code, and voila, you have a download script that will return people files they cannot get to directly, but only works for them when they are logged into the system.

Link to comment
Share on other sites

Alright, well, I have created my new "downloads" folder. I don't know what it's called, I guess the root directory?

E.g,:

+MySite.com
  +Pages
    - Download.php
  Index.php
  +Downloads
    File.zip

Hope it's understandable. Anyway, how would I actually initiate the download? I've attempted to use Readfile($file), but that just opens as a text document, it doesn't start the download, so I read a bit further into it and php.net has a great example of what I need. However, it uses headers and I return errors because my index.php is basically this, but keep in mind it's not my actual site, since I don't have access to it right now, but it's basically the same thing:

 

Index.php

<?PHP 
/*
	Website was really really bad.
	This is the rewrite.

	TODO List:
	Comment every f***in' line so I don't have to redo the whole god d**n thing again.
*/
function myfunction($web) {
	$id = $_GET["web"];
	if ($id == "file1.zip") {
		include("pages/download.php");
	}
}
?>
<html>
<body>
<?PHP MyFunction($web); ?>
</body>
</html>

 

Download.php

<?PHP
// $id is inherited from the scope of the function in Index.php that includes this file
$file = "../downloads/$id";
if (file_exists($file)) {
	header('Content-Description: File Transfer');
	header('Content-Type: application/octet-stream');
	header('Content-Disposition: attachment; filename='.basename($file));
	header('Content-Transfer-Encoding: binary');
	header('Expires: 0');
	header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
	header('Pragma: public');
	header('Content-Length: ' . filesize($file));
	ob_clean();
	flush();
	readfile($file);
}
?>

 

Apparently, headers cannot be used after HTML is called? How can I remedy this?

And I realize that the above code isn't good, it's just an example since I don't have FTP with me right now.

 

Link to comment
Share on other sites

Yes, you are correct about the header() function --- it needs to be used first. This is because its purpose is to set values in the HTTP header, so once HTTP packets are flowing, it's too late to set the header.

 

With that said, it looks like you have the basic structure in place. However, rather than trying to include download, what you should have is an anchor tag pointing to your download.php URL. You can then use JavaScript to click that link automatically. Usually people will have the link say: "If your download does not start automatically click on this link to download the file" or something similar.

Link to comment
Share on other sites
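
The approach described in the replies above (files stored outside the web root, a session login check, and all headers sent before any output), as an added example that is not code from any poster in this thread. The `private_downloads` directory, the `user_id` session key and `/login.php` are assumptions.

```php
<?php
// download.php: added example; directory, session key and login URL are assumptions.
declare(strict_types=1);

// Assumed layout: files are stored one level above the web root.
const DOWNLOAD_DIR = __DIR__ . '/../private_downloads';

// Map a user-supplied name to a real file inside $baseDir, or return null.
// basename() drops any directory part; realpath() resolves ".." and symlinks,
// and the prefix check confirms the result is still inside the base directory.
function resolve_download(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $requested === '') {
        return null;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . basename($requested));
    if ($path === false || !is_file($path)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// No output before this point: header() only works before the body starts.
session_start();
if (empty($_SESSION['user_id'])) {      // assumed key set by the login code
    header('Location: /login.php');     // assumed login page
    exit;
}

$requested = $_GET['file'] ?? '';
$path = is_string($requested) ? resolve_download(DOWNLOAD_DIR, $requested) : null;
if ($path === null) {
    http_response_code(404);
    exit('File not found');
}

header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
exit;
```

Because the script is requested directly through a link rather than included from a page that has already emitted HTML, the headers are always sent first.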
